NYC Health + Hospitals breached
- NYC Health + Hospitals said on March 24 hackers stole patient, financial and biometric data after accessing parts of its network between November 25, 2025 and February 11, 2026. (nychealthandhospitals.org)
- The most telling detail is biometric exposure: the health system said compromised files may have included fingerprints and palm prints, data patients cannot simply reset. (nychealthandhospitals.org)
- Through June 23, 2026, affected people can check eligibility for notice and support via NYC Health + Hospitals’ breach page and hotline. (nychealthandhospitals.org)

NYC Health + Hospitals disclosed on March 24 that an unauthorized actor copied files from parts of its network after gaining access between about November 25, 2025 and February 11, 2026. The public hospital system said it discovered suspicious activity on February 2, secured its network, opened an investigation and hired outside cybersecurity professionals. (nychealthandhospitals.org)

The data involved may include medical, insurance, billing and financial information, along with biometric records including fingerprints and palm prints. TechCrunch reported this week that the breach affects at least 1.8 million people, making it one of the larger healthcare breaches reported so far in 2026. (nychealthandhospitals.org)

### How did NYC Health + Hospitals say the intrusion happened?

NYC Health + Hospitals said in its public notice that the unauthorized actor “may have gained access” because of a security breach at a third-party vendor. The system did not name the vendor in that notice, and Biometric Update reported that the vendor remains unnamed. The March 24 notice also said the review of affected individuals and specific data elements was still ongoing. Becker’s Hospital Review reported that the system reset credentials for affected accounts, strengthened detection systems and updated remote-access policies as part of its response. (nychealthandhospitals.org)

### What kinds of data were exposed?

NYC Health + Hospitals said the compromised information varies by person, but may include health insurance data, medical information, biometric data, billing and claims records, and other personal information. The notice lists examples including medical record numbers, diagnoses, medications, test results, treatment plans, Social Security numbers, driver’s license numbers, payment-card numbers, financial account information, online account credentials, fingerprints and palm prints. (nychealthandhospitals.org)

The biometric element stands out because fingerprints and palm prints are persistent identifiers. The Next Web, citing the breach details, reported that the attackers had access for more than two months before detection and that the exposed biometric data is not the kind of information people can easily replace after a breach. (beckershospitalreview.com) That is an inference from the nature of biometric identifiers, not a statement by the hospital system.

### Why does the vendor angle matter in a hospital breach?

Biometric Update reported that the intrusion may have originated through a breach at a third-party vendor, echoing the language in the hospital system’s own notice. That matters because hospital networks often rely on outside firms for billing, software, analytics, claims processing and other services that can carry broad access to patient data and internal systems. (nychealthandhospitals.org)

Proofpoint and the Ponemon Institute said in a 2024 healthcare cybersecurity report that 68% of surveyed healthcare organizations had experienced a supply-chain attack, and 82% of those respondents said the incident disrupted patient care. That report was cited by IT Pro in coverage published on May 18. (thenextweb.com)

### How does this fit into broader hospital cyber risk?

IT Pro reported on May 18 that only 14% of healthcare respondents in recent research said they were confident they could lose access to health records for 72 hours without putting patients at risk. The same report said cyberattacks are increasingly affecting patient care, not just back-office systems. (biometricupdate.com)

HHS’s Office for Civil Rights says it posts breaches affecting 500 or more people and investigates such incidents under the HIPAA breach notification framework. TechCrunch reported that NYC Health + Hospitals submitted the incident to HHS, and the health system’s own notice says the posting is being made under HIPAA rules. (itpro.com)

### What should affected patients watch for next?

NYC Health + Hospitals said its website notice will remain posted through June 23, 2026, and its toll-free response line — 844-403-4518 — will remain active at least until that date. The system said people can use those channels to learn whether their information may have been impacted. (itpro.com)

The next concrete milestone is the completion of the hospital system’s review of affected individuals and data elements, which the notice says is still ongoing. Any updated filings with HHS, direct notices to affected people, or additional disclosures by NYC Health + Hospitals would provide the clearest public record of scope and follow-up steps. (nychealthandhospitals.org) (ocrportal.hhs.gov)